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Abstract 

Background: Video calls from mobile phones can improve communication during medical emergencies. Lay 
bystanders can be instructed and supervised by health professionals at Emergency Medical Communication 
Centers. Before implementation of video mobile calls in emergencies, issues of information security should be 
addressed. 

Methods: Information security was assessed for risk, based on the information security standard ISO/I EC 
27005:2008. A multi-professional team used structured brainstorming to find threats to the information security 
aspects confidentiality, quality, integrity, and availability. 

Results: Twenty security threats of different risk levels were identified and analyzed. Solutions were proposed to 
reduce the risk level. 

Conclusions: Given proper implementation, we found no risks to information security that would advocate against 
the use of video calls between lay bystanders and Emergency Medical Communication Centers. The identified 
threats should be used as input to formal requirements when planning and implementing video calls from mobile 
phones for these call centers. 



Background 

Cardiac arrest, accidents and traumas are leading causes of 
death worldwide [1-3]. First rescue activities performed by 
lay bystanders, such as calling for help, opening of airways, 
and cardio-pulmonary resuscitation, save lives. Emergency 
Medical Communication Centers (EMCCs) assist bystan- 
ders via telephone, saving time and improving care [4,5]. 
EMCC operators (dispatchers) often have to act on limited 
information, as the description given by bystanders can be 
lacking or misleading [4,6,7] . 

Videoconference enabled mobile phones can be sophis- 
ticated tools for dispatcher assisted resuscitation [7,8], 
and videoconferencing can improve the confidence of lay 
rescuers [9]. Videoconferencing used in communication 
between bystanders and EMCCs would enable dispatch- 
ers to see the patient and the scene of accident, and may 
better instruct bystanders on correct action [7,10,11]. 
The Federal Communications Commission (FCC) in the 
USA announced in November 2010 that America's 9-1-1 
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system should be revolutionized by harnessing the life- 
saving potential of text, photo, and video in emergencies 
[12]. Although a majority of the emergency calls come 
from mobile phones [12], call centers currently lack the 
technical capability to use the full potential of these new 
technologies. 

In healthcare, information security and safety are vital 
parts of the trust between the public and the care provi- 
ders. In most countries this is regulated through laws 
and professional standards. Possible undesired effects 
should be identified before the implementation of video 
calls in EMCCs. In this study, the security challenges of 
using mobile telephones for videoconferencing between 
lay rescuers and EMCCs were analyzed through a quali- 
tative risk assessment of the information security 
aspects. 

Methods 

Risk assessment is a systematic approach for describing 
and calculating risks of undesired events. We conducted 
risk assessment of information security related to the 
use of videoconference calls with mobile phones 
between lay bystanders and EMCCs during medical 
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emergencies. Our risk assessment was based on the 
information security standard ISO/IEC 27005:2008 
developed by the International Organization for Stan- 
dardization (ISO) and the International Electrotechnical 
Commission (IEC) [13]. In this standard, risk assessment 
is described as a process consisting of risk identification, 
risk estimation and risk evaluation. Risk assessment is 
performed after context establishment, and the process 
may be iterative (Figure 1). 

Risk assessment group, workflow and time frame 

Risk assessment was performed by a group, led by a risk 
assessment expert (EH). Group participants were chosen 
from our own institution, based on competencies and 
background, such that different areas of expertise were 
covered. One anesthetist nurse, one anesthesiologist, 
one lawyer, and two computer scientists took part in 
this group, which started its work in 2006. After one 
iteration of risk assessment including three group meet- 
ings, we found that a better understanding of the 
intended service was needed, and agreed to postpone 
further iterations until the completion of a research pro- 
ject [7,9,14]. We expanded our group with a dispatcher 
nurse who had used videoconferencing in scenarios of 
simulated cardiac arrest, and the risk assessment was 
completed through another two iterations with email 
discussions and eight group meetings during 2009 and 
2010. 
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Figure 1 The workflow of risk assessment according to the 
information security standard ISO/IEC 27005:2008 



Context establishment 

The context for this risk assessment was set by describing 
the service, legal requirements and definitions. Legal 
requirements for communication of sensitive patient- 
identifiable information is set by national and European 
legislation [15-17]. The consequence of risks were 
defined in three categories (low, medium, high), and 
values for likelihood were described using four categories 
(low, medium, high, very high) (Table 1). Risk (R) is the 
product of consequence (C) and likelihood (L): R = C x 
L. In qualitative risk assessment, risk is illustrated in a 
two dimensional matrix as a combination of consequence 
and likelihood. We defined three levels for risks; low, 
moderate and severe (Table 1). Threats with severe risk 
are usually unacceptable. If they cannot be avoided or 
their risk reduced, it may imply that the new service 
should not be implemented. 

Risk assessment 

Threats to information security with consequences for the 
organization or patients were identified. We considered 
threats related to legislation and regulations, economic 
consequences, reputation, life, and health. 

Identification of threats was performed as a structured 
brainstorming in the risk assessment group. All ideas for 
possible risks were noted and no risks were censored or 
rejected at this point. During risk assessment we focused 
on confidentiality (c), quality (q), integrity (i), and avail- 
ability (a) of information, terms defined by Norwegian 
legislation as the aspects of information security [15,16]. 
Every threat was described and given a unique identifier 
where the first character was used to indicate the type of 
security aspect (c, q, i, a). 

Each threat was analysed by the team for the conse- 
quence and the likelihood that it would occur, according 
to definitions (Table 1). Risk assessment was done for 
the new service relative to the existing service with 
audio only communication. This means that risks in the 
existing service were excluded, unless the new service 
would change the risk level. 

The identified threats were placed in a two dimen- 
sional matrix according to their consequence and likeli- 
hood. Each threat was evaluated, and possible actions to 
reduce the risks were suggested. The process was con- 
tinued until we reached group consensus. 

Results 

Twenty distinct threats and unwanted situations were 
identified and described (Table 2). The likelihood and 
consequence were estimated for each threat. The risk 
matrix presents all threats with their id, short description 
and risk level as a combination of likelihood and conse- 
quence (Figure 2). No threats had a severe risk level, but 
threats with a high level of consequence should be 
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Consequence 

For the hospital or the service: No violation of law; or negligible economic loss which can be restored; or small reduction of reputation 
in the short run. 

For the patient: A minor impact on health; or negligible economic loss which can be restored; or small reduction of reputation in the 
short run. 

For the hospital or the service: Offence, less serious violation of law which results in a warning or a reprimand; or economic loss which 
can be restored; or reduction of reputation that may influence trust and respect. 

For the patient: A minor temporary impact on health; or economic loss which can be restored; or small reduction of reputation caused 
by revealing of less serious information (e.g. blood pressure level). 

For the hospital or the service: Violation of law which results in penalty or fine; or a large economic loss which cannot be restored; or 
serious loss of reputation that will influence trust and respect for a long time. 

For the patient: Death or permanent reduction of health; or a large economic loss which cannot be restored; or serious loss of 
reputation caused by revealing of sensitive and offending information. 

Likelihood 

Rare, occurs less than every 100th connection. Detailed knowledge about the system is needed; or special equipment is needed; or it 
can only be performed deliberately. 

May happen, occurs between every 10th and everylOOth connection. Normal knowledge about the system is sufficient; or normally 
available equipment can be used; or it can be performed deliberately. 

Quite often, occurs between every 3rd and everylOth connection. Can be done with minor knowledge about the system; or without 
any additional equipment being used; or it can be performed by wrong or careless usage. 

Very often, occurs more often than every 3rd connection. Can be done without any knowledge about the system; or without any 
additional equipment being used; or it can be performed by wrong or careless usage. 

Risk level 

Acceptable risk. The service can be used with the identified threats, but the threats must be observed to discover changes that could 
raise the risk level. 

Can for this service be an acceptable risk, but for each threat the development of the risk should be monitored to consider whether 
necessary measures have to be implemented. 

Not acceptable risk. Cannot start using the service before risk reducing treatment has been implemented. 



Table 1 Definitions of consequence, likelihood and risk level 

Category Description 



Low 



Medium 



High 



Low 

Medium 

High 

Very high 



Low 

Moderate 
Severe 



watched closely, as an increase in likelihood can make 
these threats severe. We were not able to conclude on 
likelihood or consequence for nine threats, either because 
it would be dependent on the implementation of the 
technology, or related to issues that can only be answered 
through clinical trials. It is possible that these threats 
could have an unacceptable severe risk. 

Different options for risk treatment were suggested. 
Several threats can be handled by proper implementa- 
tion: the lack of availability of video logs (a3, a4, a5), the 
inability to forward video calls (a9), and unauthorized 
access to patient information (c2, c3). The loss of dis- 
patchers' identity protection (ml) can be avoided with 
one-way videoconferencing, or by transmitting computer 
generated images of a dispatcher (an avatar) [18]. 

Some threats will be influenced by the intellectual 
capacity of dispatchers. Training of dispatchers may 
reduce the risk level of those threats, such as poor image 
quality (q2), misunderstandings due to interpretation of 
images or several patients in the same emergency (q3, q4, 
q5), and the images receiving too much attention from 
dispatchers or bystanders (m2, m3). For some dispatchers 
and in some situations the image may be helpful, while at 
times images can be an extra burden. EMCCs commonly 



use criteria based protocols for advice during emergen- 
cies [19-21]. Such protocols should be adapted for video 
based dispatch [7,14], which may contribute to reduction 
of the risk level for these threats. 

The risk level of the remaining threats will be largely 
influenced by factors external to EMCCs, such as the 
sound quality (ql), time delays when establishing video- 
conferencing (al), the capacity and security of the tele- 
communication networks (a2, a7, cl), weather conditions 
(a6), and the quality and capacity of callers' mobile 
phones (a7, a8). The risk level of these threats are likely 
to decrease with time, as technology and solutions 
mature. If users experience problems with sound quality 
or other technical problems during a video call, a switch 
to audio call may solve the problem, but with a loss of 
time. 

Discussion 

This risk assessment identified twenty threats to informa- 
tion security for the use of mobile video calls between 
EMCCs and the public. None of these have a severe risk 
level (i.e., a combination of high consequence and likeli- 
hood). We have suggested ways to decrease or eliminate 
the risks, by proper implementation, organization, and 
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Table 2 Description of threats 

Threat id Description 

Threats to quality 

q1 Sound quality with mobile phone videoconferencing is usually worse than regular calls between mobile phones. Reasons include poor 

bandwidth and mobile phones usually in loudspeaker mode during video calls, often with disturbing background noise. This may result 
in misunderstandings, lost information and delays. 

q2 Poor image quality is a common problem with video calls from mobile phones. Although likely to improve with improved technology, 

camera shake, poor light and weather conditions will influence on the image quality. Some image quality problems are due to current 
methods for video compression. 

q3 The caller may believe that the image is a sufficient description, therefore not describing the situation appropriately, which leads to 

misinterpretations. 

q4 The dispatcher may believe the image describes the situation sufficiently, and therefore do not ask for important information, which 

leads to misinterpretations. 

q5 When there are several patients in the same accident or emergency, it is possible to mix-up images from one patient to what is said 

about another patient. The image may clarify or complicate matters when much information needs to be sorted out. 

Threats to availability 

al It usually takes more time to establish a phone call with video. Today this is usually a matter of a few seconds, time which may be 

saved in successful guidance trough video communication. The caller may however be negatively affected by delays during initiation of 
contact with the EMCC, which in turn may affect how the case is handled. 

a2 The capacity of mobile phone networks is often reached during larger accidents. Videoconferencing demands more bandwidth than 

audio communication, which may be a problem when many people are calling at the same time. In some mobile networks video calls 
use a reserved bandwidth, not interfering with the bandwidth used for audio calls. Depending on traffic and network configuration, it 
can be easier or more difficult to make a call go through when using video calls. 

a3, a4, a5 EMCCs commonly have audio logs of all communication with the public for playback. If the connection with the caller is lost and 

cannot be reestablished, audio playback may provide essential information to solve the emergency. Audio logs can also be useful for 
debriefing, or when questions later arise if the EMCC should have handled a case differently. If, for some reason, the log is not 
available, it may negatively affect patients in cases where connection is lost (threat a3). It may negatively influence the organization if 
logs are not available for documentation (threat a4) or debriefing (threat a5). There are several causes for these threats to occur, either 
that video is not recorded by default implementation, that playback of videorecordings is difficult, or that such recordings are 
corrupted or destroyed. 

a6 Mobiles used for videoconferencing is kept out from the body and has greater exposure to weather conditions such as rain and cold 

temperatures. This may cause equipment failure and loss of connection. 

a7 Technical difficulties because of less stable connection during mobile videoconferencing can delay or disrupt the exchange of 

information. 

a8 Videoconferencing drain more battery on mobile phones than does audio communication. Use of video may therefore cause more lost 

connections. With empty batteries, communication can not be reestablished. 

a9 In some situations the dispatcher may want to forward the call to another dispatcher either within the same EMCC or in a different 

EMCC. If this is not possible during video calls, the dispatcher may shut down the call and establish an audio call instead. This comes 
with a risk of wasting time. 

Threats to confidentiality 

c1 Telephone communication can be wiretapped. While it takes more advanced technology and skills to wiretap a live videoconference 

over a mobile network, the public interest in images from emergencies suggest increased willingness to invest in such technology. 

c2 Stored images are likely to be of greater interest and may contain more sensitive patient information than audio logs. Stored video and 

images may therefore increase attempts of unauthorized access. 

c3 If visitors are allowed into the EMCC, or the images on computer screens can be observed by people outside the EMCC, this may 

reveal patient sensitive information. This threat is dependent on local conditions such as placement of computer screens and access 
restrictions to the EMCC. 

Threats to integrity 

No threats to data integrity were identified. 

Mixed threats 

ml With two-way videoconferencing the caller may identify the dispatcher. Dispatchers have been concerned that the loss of identity 

protection makes them more vulnerable to insults [7]. 

m2 The EMCC is a demanding work environment, and the introduction of videoconferencing may distract or increase demands on 

dispatchers. In the worst case, this may cause inefficiency or delays. 

m3 The caller may focus on filming rather than helping the patient. The dispatcher may ask for images, and disturb or interrupt the 

treatment the caller otherwise would have initiated. Similar concerns were also raised when resuscitation instructions first was provided 
by telephone [29]. 
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Likelihood 


Consequence 
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Figure 2 Risk matrix presenting the identified threats with identifier and short description. Darker shades of grey indicates higher level of 
risk: light grey low risk, medium grey moderate risk and darkest grey severe risk. White background is used for threats with unknown risk 



staff training. Potential delays and poor sound quality 
were the greatest technical risks of mobile video calls. 
These threats are likely to decrease as technology 
improves. 

Based on this risk assessment, we believe it is possible 
to implement videoconferencing from the public as a 
service in EMCCs with acceptable risks. However, some 
critical success factors of information systems in the 
organization will only be discovered during the imple- 
mentation process [22]. A change in work environment 
may impose unacceptable loads on human cognitive 
abilities and potentially lead to errors, especially in a 
transition phase when new routines are being adopted 
[23]. When introducing a new service in the high stress 
environment of EMCCs, the process should therefore be 
closely monitored for unwanted incidents, even if unac- 
ceptable risks have not been identified at earlier stages. 
Risk assessment should be repeated at regular intervals 
to ensure that changes in environment, organization, or 
system do not introduce new unacceptable threats and 
that known threats do not increase in likelihood or con- 
sequence resulting in unacceptable risk levels for the 
system. 

Risk assessment is a method for identification and eva- 
luation of possible factors that may affect different aspects 
of change processes and their outcome, such as impact on 
services, organization, customers and users. Even the most 
thorough risk assessment process can miss out on some 
unforeseen consequences. ISO/IEC 27005:2008 outlines 
procedures for risk assessment, but several of the steps 
can be addressed by using different approaches. We used 
qualitative assessments by a multi-professional team. The 
composition of the team is important to cover different 
threats, but is no guarantee that all possible threats are 



found. Qualitative studies rarely give hard facts, but they 
can provide information and insight, and guide further 
research [24,25]. Our approach was prospective and 
addressed a future system at a high level, and has similari- 
ties with the Structured What-If Technique (SWIFT), 
which is a systematic team-oriented technique for hazard 
identification suitable for considering systems where 
human and organizational factors predominate [26,27]. 
Other methods for risk identification such as Hazard and 
Operability study (HAZOP), Failure Modes and Effects 
Analysis (FMEA), and Fault Tree Analysis (FT A) focus on 
process flow or hardware, and may be better suited for 
assessment of equipment details [26]. When risk assess- 
ments are carried out before new systems are implemen- 
ted, sometimes even before they are constructed, it is not 
possible to do accurate measurements. Risk assessment as 
a scientific method therefore needs to be carried out in a 
systematic and critical fashion so that each issue can be 
discussed and debated openly. There is always a risk of 
bias in such discussions, resulting in overly positive or 
overly negative analysis. Our risk assessment was based on 
previous research in the field [7,9,14,28], and a part of sys- 
tematic development of knowledge. 

The result of risk assessments provides information for 
risk treatment (Figure 1), which involves decisions on 
how to reduce risk in an organization. The threats identi- 
fied in this risk assessment should be used as input to 
formal requirements when planning and implementing 
video calls for EMCCs. The benefit of doing risk assess- 
ment before system implementation is that information 
security can be incorporated from the beginning. 

For all health care service there are several risks 
involved - for the patients, for health care workers, for 
the organization, and for the service itself. Our risk 
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assessment has only focused on the purpose of a com- 
munication system, namely information exchange and 
storage. Risks related to different types of patient condi- 
tions should be identified through clinical studies. 

A threat may have different outcomes, from common 
incidents with no practical implications, to (very rarely) a 
chain of events with disastrous results. Poor sound quality, 
for instance, may be acceptable in many situations, but 
can in other cases cause misunderstandings that lead to 
worse patient treatment and possible patient death. For a 
new service there are no measurements of unwanted 
events, therefore assessments of associated consequence 
and likelihood become approximations. We found this led 
to a worst-case type of thinking that may have overesti- 
mated the risk level of some threats. Further studies are 
therefore needed to map type of errors and problems that 
may arise when videoconferencing is used during real 
emergencies. 

Conclusions 

Video based communication with lay bystanders during 
prehospital emergencies may potentially improve the 
quality of prehospital patient care. In previous studies of 
simulated cardiac arrest, we have found that video calls 
are likely to improve confidence and reduce communica- 
tion problems during prehospital medical emergencies 
[7,9] . In this risk assessment, we used qualitative methods 
to find potential threats to information security of using 
such video calls. This study has revealed several issues 
that should be considered carefully in requirement speci- 
fications for such systems. We did not identify potential 
threats with unacceptable high risk levels, which indicates 
that it is possible to implement the reception of video 
calls from the public in dispatch centers. The time is ripe 
to initiate a discussion on how emergency call centers 
should implement the new possibilites given by the 
mobile multi-media devices carried by a large portion of 
the population. 
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